RE: Can I use opensnitch?

Yes, the firewall stays active after rebooting.

I've also checked if the firewall was perhaps circumvented by looking at the NAT log of my router. No entry, so it seems to work.

Another idea might be: If you, say, currently need Cloudflare for surfing the net, then you could enable just these IP ranges by making a separate text file and running this command:

while read line; do sudo ufw allow out from any to $line; done < ip-ranges-cloudflare.txt

I only changed in the first script "deny" to "allow".

These would be the IP ranges:

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32

To get a similar functionally like opensnitch I ended up doing this.

I enabled the firewall ufw:

sudo ufw enable

I created a text file with the ip ranges of Canonical, Cloudflare and Digital Ocean:

162.213.32.0/24
162.213.34.0/24
162.213.35.0/24
185.125.188.0/23
185.125.190.0/24
194.169.254.0/24
91.189.89.0/24
91.189.91.0/24
91.189.95.0/24
2001:67c:1560::/48
2001:67c:1561::/48
2001:67c:1562::/48
2620:2d:4000::/48
2620:2d:4001::/48
2620:2d:4002::/48
2620:2d:4003::/48
173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22
2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32
103.253.144.0/22
104.131.0.0/18
104.131.128.0/20
104.131.144.0/20
104.131.160.0/20
104.131.176.0/20
104.131.192.0/19
104.131.224.0/19
104.131.64.0/18
104.236.0.0/18
2400:6180:100::/40
2400:6180:10::/48
2400:6180::/48
2604:a880:1::/48
2604:a880:2::/48
2604:a880:3::/48
2604:a880:400::/48
2604:a880:4::/48
2604:a880::/48
2604:a880:800::/48

Finally, I added all these rules to ufw:

while read line; do sudo ufw deny out from any to $line; done < ip-ranges-canonical-cloudflare.txt

You can check if it worked like this:

sudo ufw status

Please note: Updates and automatically setting the time, probably GPS won't work anymore because they go through these IPs. Also websites that use Cloudflare won't work, obviously.

When you need any of this simply turn off the firewall:

sudo ufw disable

If you'd like to see details of what the firewall does, you can use this:

journalctl | grep '\[UFW '

Ok, I did some more digging: I installed tcptrack to see if I could get outside of the sandbox. Didn't work so opensnitch wouldn't work either even if I would get it installed.

Found it:

jounalctl | grep -i ufw

Hey everyone,

Is there a way to use opensnitch? I tried installing it on Libertine but it failed starting because some QT dependencies where missing. Besides, it might not work anyway since it would run in the sandbox?

Thanks!

Hey everyone,

I'am trying to set up ufw but it's rather difficult without access to the logs. I looked at /var/logs but couldn't seen any ufw logs.

Thanks!